Category Archives: For Business

What Is EDR and Why Is It Important?

Oftentimes, your organization’s endpoints become key entry points for cyber attackers. With the evolution of workplace mobility and employees connecting to the Internet from off-site endpoints across the globe, it should come as no surprise that devices are becoming increasingly vulnerable. Without proper cybersecurity protection measures in place, malicious hackers can easily take advantage of any existing vulnerabilities. This is why the need for security tools that go beyond traditional Firewalls and Antivirus solutions has become an undeniable top priority for organizations large and small. EDR (short for Endpoint Detection and Response) is the term that encompasses threat hunting, prevention, and detection tools, and it has become the gold standard in cybersecurity.

In this article, I will explain what Endpoint Detection and Response (EDR) is and why it has become a vital part of your business.

Cybercriminals do their utmost to successfully target and attack your company’s endpoints for various reasons. They might want to exfiltrate your data or hold it for ransom, take over your machines, enlist them in a botnet to conduct DDoS attacks, and much more.

What does EDR mean?

The term EDR stands for Endpoint Detection and Response (or Endpoint Threat Detection & Response). It was coined in 2013 by Anton Chuvakin, former VP and security analyst at Gartner, now security product strategist at Google:

“After a long agonizing process that involved plenty of conversations with vendors, enterprises and other analysts, I have settled on this generic name for the tools primarily focused on detecting and investigating suspicious activities (and traces of such) and other problems on hosts/endpoints: Endpoint Threat Detection & Response.” Anton Chuvakin, Gartner’s blog

Essentially, Endpoint Detection and Response (EDR) systems have been created to detect and actively respond to sophisticated malware and cyber-attacks. EDR solutions can recognize suspicious patterns that can be further investigated later on. As implied by their name, these tools have been designed specifically for endpoints (and not networks).

Why is EDR important?

Compared to traditional security solutions, EDR provides enhanced visibility into your endpoints and allows for faster response time.

Furthermore, EDR tools detect and protect your organization from advanced forms of malware (such as polymorphic malware), APTs, phishing, etc. It’s also worth mentioning that EDR solutions are based upon machine learning algorithms designed to spot as yet unknown types of malware by making behavior-based classification decisions.

In essence, if certain files behave maliciously (in ways similar to already known kinds of malware), they will not manage to bypass EDR solutions.

EDR vs. Antivirus – What’s the difference?

In the past, a traditional Antivirus solution may have sufficed to cover the protection of your endpoints. But as malware evolved into more advanced and pervasive forms, it became clear that Antivirus was no longer enough and that prevention and detection mechanisms needed to keep up with the ever-evolving threatscape.

EDR solutions have several unique features and benefits which conventional Antivirus programs do not deliver.

Compared to the novel EDR systems, traditional Antivirus solutions are simpler in nature and should be seen as an important component of EDR.

Normally, Antivirus tools accomplish basic tasks such as scanning, detection, and malware removal.

On the other hand, EDR is superior to the traditional Antivirus (which uses signature-based threat detection methods). EDR tools are much broader in scope and should include multiple security layers such as attack blocking, patching, exploit blocking, firewall, whitelisting/blacklisting, full category-based blocking, admin rights management, and a next-gen Antivirus.

EDR security solutions are therefore more suitable for today’s businesses, as traditional Antivirus on its own has become an archaic tool that can no longer guarantee complete security.


Simple Antivirus protection is no longer enough.

Thor Premium Enterprise

is the multi-layered Endpoint Detection and Response (EDR) approach
to organizational defense.
  • Next-gen Antivirus which stops known threats;
  • DNS traffic filter which stops unknown threats;
  • Automatic patches for your software and apps with no interruptions;
  • Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today Offer valid only for companies.

The main characteristics and benefits of EDR

The features of Endpoint Detection and Response tools can vary from vendor to vendor, yet we can notice a few main characteristics that define EDR and that are considered essential. Each tool can have a certain degree of sophistication, but below I would like to point out the five major characteristics of EDR:

#1. Integration with multiple tools

EDR solutions always come in multiple tools/layers. They feed intelligence into each other to successfully protect your organization from multiple angles.

#2. Alerts, reporting, and a unified overview of your environment

A dashboard that provides access to your endpoints’ protection status should be a mandatory feature of any EDR solution. At the same time, you should be able to receive timely alerts and have the capability to identify and monitor endpoint security threats and vulnerabilities.

Also, running reports for compliance purposes is a crucial aspect of all EDR tools.

#3. Advanced response capabilities and automation

An EDR technology should provide you with specialized tools for assessing and reacting to security incidents, including prevention, detection, threat intelligence, and forensics. At the same time, automation capabilities are essential.

#4. Global availability

EDR should free you from platform constraints and let you manage your environment wherever you or your teams are, at the time of your choosing.

#5. Prevention

Last but not least, an effective EDR technology must offer prevention methods and adaptive protection against next-generation malware, based on behavioral analysis of the incoming and outgoing traffic in your organization, in order to prevent and mitigate attacks that cannot be detected by reactive solutions such as an Antivirus.

Why Is Heimdal™’s EDR technology the best on the market? Introducing E-PDR, the next-gen approach to EDR.

We’ve combined an Endpoint Protection Platform (EPP) with Endpoint Detection and Response (EDR) and achieved what we consider to be the gold standard in cybersecurity: E-PDR (Endpoint Prevention, Detection, and Response).

Below I will discuss the numerous ways in which you can benefit from our E-PDR technology, superior to other existing EDR tools.

First of all, Heimdal™’s EDR brings you real-time proactive security via DNS filtering, smart threat hunting, proactive behavioral detection, automated patch management, a next-gen Antivirus, and a module for automated admin rights escalation/de-escalation procedures. Thus, we deliver a layered security approach within a single, lightweight agent. Our customers get access to next-gen endpoint threat prevention and protection from existing and undiscovered threats, plus a market-leading detection rate and compliance, all in one package.


System admins waste 30% of their time manually managing user rights or installations.

Thor AdminPrivilege™

is the automatic Privileged Access Management (PAM) solution
which frees up huge chunks of sys-admin time.
  • Automate the elevation of admin rights on request;
  • Approve or reject escalations with one click;
  • Provide a full audit trail into user behavior;
  • Automatically de-escalate on infection;
Try it for FREE today Offer valid only for companies.

By combining Thor Foresight Enterprise and Thor Vigilance Enterprise you will obtain proactive IOCs and enhanced IOAs and gain a unique EDR ability to mitigate even concealed or unknown malware.

Secondly, our dashboard always provides you with notifications and warnings for all active clients. It offers real-time threat and status reporting, delivered at the interval of your choosing. Your data will be graphed and scaled daily, weekly, or monthly, and it can also be integrated into a SIEM via API. The Heimdal™ Security Unified Threat Dashboard (UTD) stores the entire history throughout your customer lifecycle and helps you perform compliance audits and risk assessments. Alongside weekly reports, data exports, e-mail alerts, and built-in data drill-down, the Heimdal™ UTD offers a powerful yet simple way to manage your environment.

Our platform also enables you to define policies for each of your components in great detail. For example, you can refine the blacklisting of websites, files, processes, or patches per Active Directory group of your Heimdal™ environment. This gives you the powerful option to individually tailor your IT environment and create policies that fit your exact needs across the Active Directory groups in your organization. Once configured, the Heimdal™ deployment is simple and can happen through any MSI deployment tool.

Thirdly, because we’ve taken into consideration the evolving needs of the global enterprise, our E-PDR technology works anytime and anywhere in the world, for both on-site and remote work set-ups.

Last but not least, the multi-layered security suite combined into our E-PDR system comes in a user-friendly, easy-to-deploy agent that is extremely lightweight on your systems and will certainly become the greatest time-saver for your sysadmins.

Conclusion

No matter which EDR solution you end up choosing, make sure it can be scaled up and down and that it fits your organization’s needs.

Should you want to try out our EDR technology, please register on the website or contact us at sales.inquiries@heimdalsecurity.com.


The post What Is EDR and Why Is It Important? appeared first on Heimdal Security Blog.

Patch Tuesday: Microsoft Fixes 111 Vulnerabilities. Some Allow Remote Code Execution and Admin Rights Abuse

The May 2020 Patch Tuesday security updates have recently been released, with 111 patched vulnerabilities related to 12 different Microsoft products, such as Windows, Edge, Visual Studio, and the .NET Framework. The tech giant issued 115 patches in March and 113 in April this year and the May 2020 edition turned out to be the third-largest Patch Tuesday ever seen. This month’s batch did not contain any zero-days.

As always, Heimdal™ Security advises you to apply these patches at your earliest convenience. None of the bugs has been reported as publicly disclosed or actively exploited so far. Still, if you’re running Windows on your endpoints, it’s high time to get these security flaws patched.

Read on to learn more about the May 2020 Patch Tuesday.

May 2020’s batch of Microsoft patches, the third-biggest ever released

May is the third month in a row when Microsoft rolled out patches on its operating system and associated software for more than 110 security vulnerabilities. Luckily, there don’t seem to be any zero-day vulnerabilities to be fixed. However, there are certain bugs in Windows that need to be kept in mind and addressed.

At least 16 of the vulnerabilities are marked as “Critical,” indicating they can be abused by cybercriminals to install malware or gain remote control of compromised systems with little to no user intervention.

Significant vulnerabilities to be noted

Below we’ve listed a few instances you should consider.

This month, Microsoft fixed three critical Microsoft Edge vulnerabilities which could enable intruders to execute code remotely by tricking users into visiting a specially crafted website. If abused, these flaws might allow malicious hackers to execute commands with full admin rights on the targeted device. At the same time, a bug in the Color Management Module (ICM32.dll) allows code execution once cybercriminals have fooled users into accessing infected websites. Windows itself also contains a remote code execution vulnerability.

  • CVE-2020-1056 | Microsoft Edge Elevation of Privilege Vulnerability

Under this scenario, there is an elevation of privilege risk as Microsoft Edge does not fully implement cross-domain policies, which could enable intruders to access and inject data from one domain into another.

Attackers would have to host a malicious website used to exploit the vulnerability. Even so, intruders have no means to force users to access the manipulated content; they would have to trick people into clicking a link that redirects the victims to the attackers’ website.

An intruder who abuses this flaw successfully can escalate privileges in affected versions of Microsoft Edge. This security update addresses the vulnerability by making sure Microsoft Edge enforces cross-domain policies correctly.

Should attackers convince users to access a malicious link, the attackers’ website “could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services”.

This patch fixes a bug by changing how HTTP responses are parsed via Microsoft Edge.

  • CVE-2020-1096 | Microsoft Edge PDF Remote Code Execution Vulnerability

The CVE-2020-1096 vulnerability refers to the way Microsoft Edge handles objects in memory. More precisely, this vulnerability has the potential to corrupt memory, enabling malicious actors to execute arbitrary code on the machine.

Once successfully exploited, the bug would allow attackers to obtain the same user rights as the victim. Should the current user be logged on with full admin rights, the cybercriminal could completely take over the affected endpoint and perform malicious actions.

This kind of attack could be triggered if users are tricked into accessing the attackers’ website, where malicious PDF content would have to be stored.

  • CVE-2020-1117 | Microsoft Color Management Remote Code Execution Vulnerability

This bug is connected to the faulty way in which the Color Management Module (ICM32.dll) handles objects in memory. Users with full admin rights are heavily impacted, since the vulnerability would permit malicious hackers to completely take control of the targeted systems, allowing them to “install programs; view, change, or delete data; or create new accounts with full user rights”.

Similar to the above-mentioned attack scenarios for the vulnerabilities addressed by this Patch Tuesday, in this case users would also have to be fooled into visiting malicious websites belonging to the attackers or opening infected email attachments.

The newly released security update corrects the improper way in which Windows handles objects in memory. An intruder who successfully abused the flaw would be able to run arbitrary code with elevated rights on a targeted machine. An attacker with a domain user account could craft a specially designed request to exploit the bug, causing Windows to run arbitrary code with elevated permissions.

Did you know that 100% of vulnerabilities in Microsoft browsers and 93% in Windows OS can be mitigated by removing local admin rights?

Our unique privileged access management (PAM) tool, Thor AdminPrivilege™, allows you to efficiently manage admin rights inside your organization. It is the only solution that enables you to both escalate and de-escalate user privileges and the only tool that automatically de-escalates user rights on infected endpoints (when used in tandem with the Enterprise version of Thor Foresight, Thor Vigilance or Thor Premium).


Bottom Line

We would also like to remind you that many of the bugs patched in today’s Microsoft patch batch affect Windows 7, which no longer receives security updates unless your company has signed up for Microsoft’s paid Windows 7 Extended Security Updates (ESU) service. If you are still running Windows 7 on any of your devices, Heimdal™ Security advises you to upgrade to Windows 10.

All of our Thor Foresight Enterprise and X-Ploit Resilience customers are provisioned in a timely manner with the latest Microsoft patches (both Windows and 3rd party). Sign up for a free demo to learn how automated patch management can add a powerful layer of defense to your organization.


Antivirus is no longer enough to keep an organization’s systems secure.

Thor Foresight Enterprise

Is our next gen proactive shield that stops unknown threats
before they reach your system.
  • Machine learning powered scans for all incoming online traffic;
  • Stops data breaches before sensitive info can be exposed to the outside;
  • Automatic patches for your software and apps with no interruptions;
  • Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today Offer valid only for companies.

The post Patch Tuesday: Microsoft Fixes 111 Vulnerabilities. Some Allow Remote Code Execution and Admin Rights Abuse appeared first on Heimdal Security Blog.

Back to Work After Lockdown: Cyber Risks of the Post-Pandemic Era

In the wake of China lifting some of its lockdown restrictions in the Wuhan province, most of the world is looking forward to getting back to ‘normal’. According to the World Health Organization, this transition from government-enforced lockdown to a quasi-repose state should not be taken lightly, nor perceived as a return to ‘normalcy’.

As many epidemiologists have pointed out, we have yet to reach the ‘infection’ peak, meaning that a second viral wave may be lurking around the corner. In the interim, with several European countries dropping part of the lockdown-specific rules, company owners are making the necessary preparations to accommodate all the employees who were sent to work from home.

Many challenges lie ahead, most of them related to (re)constructing the work environment and achieving full compliance with governmental recommendations/regulations – which literally translates to keeping your employees safe in the ‘Post-Pandemic Era’. The quotation marks are not poetic license – the coronavirus pandemic is far from over, and it’s important to keep that in mind when you begin drafting the plans on how to bring everyone back to the office.

There is another consideration – your company’s cybersecurity factor. Up till now, your sysadmins were focused on making telecommuting work – configuring the network, installing additional equipment, researching remote work-specific software.

However, now that the employees will be returning to the office, the focus must shift back to on-site network administration, which, among other things, means getting up to speed with your cybersecurity policies (or lack thereof).

In this article, I am going to go over Heimdal™ Security’s return-to-the-office cybersecurity recommendations. And because this is a race against time, I’m going to show you how to cut some corners (not in a bad way).

The post-pandemic era office

It’s only natural to have some reservations about going back to the office. After all, we did spend the last couple of months being told to stay at home, wash our hands, and practice social distancing. The idea of heading back to the office, while the coronavirus is still active, may seem foreboding. Perhaps even confusing – how can we even think about venturing into the world when the authorities are still struggling to contain COVID hotbeds that appear overnight?

Some WHO-associated sources mentioned something about the ‘death of normalcy’. In other words, we can never go back to what we believed was ‘normal’ because the very idea of ‘commonplaceness’ is what led us to this conundrum.

We need to change, and that’s a fact. ‘But how?’ is the question du jour. Do we simply go back to our regular, and very mundane, 9-to-5 lives, knowing that the virus is still around? These are all legitimate questions, which I will be addressing throughout this article.

Is it safe to go back to work? Health authorities from around the globe have already begun loosening the lockdown restrictions, allowing some industries to resume production. For instance, the Spanish health authorities, partly encouraged by the decrease in new coronavirus cases/casualties, have cleared the ‘restart’ for the construction and manufacturing industries.

On Monday, by ministerial decree, workers employed in these two sectors will return to work. I would like to remind the readers that Spain has been under lockdown since the middle of March.

Moreover, Spain is ranked fourth in deaths caused by the new coronavirus, after the United States, UK, and Italy. It’s encouraging news indeed, considering how hard this country was hit. Spain is not the only country to loosen its lockdown restrictions to stabilize the economy.

On the 25th of April, three US states (Georgia, Alaska, and Oklahoma) took the first steps in loosening some of the lockdown orders, even though the US death toll is around 70,000 and climbing. Even life in China, which is considered the first coronavirus hotbed, is slowly returning to normal, with more businesses relaunching every single day.

Returning to the office is possible and feasible. However, it will look entirely different compared to what your employees had in mind.

First of all, as an employer, you are bound by law to take every necessary measure to ensure the safety of your workforce and help the health authorities stem the spread of this contagion. So, right from the start, two aspects need to be tackled: legal and health-related. Of course, an equally important aspect is cybersecurity. Let’s take a closer look at each of them.

Legal Implications of Returning to Work

According to the White House officials, employers can recall the staff on premises if they meet all the requirements laid down and enforced by federal, state, and local officials. The document in question is broken down into several sections, each of them addressing a certain social category (healthcare providers, employers, employees, specific employees, and businesses). Below, you will find an excerpt from the White House’s tri-phase plan.

“Guidelines for all phases

Employers:

Develop and implement appropriate policies, per Federal, State, and local regulations and guidance, and informed by industry best practices, regarding:

  • Social distancing and protective equipment
  • Temperature checks
  • Sanitation
  • Use and disinfection of common and high-traffic areas
  • Business travel

Monitor the workforce for indicative symptoms. Do not allow symptomatic people to physically return to work until cleared by a medical provider.

Develop and implement policies and procedures for workforce contact tracing following employee COVID + test.”

Source: White House Gov – Opening America (Guidelines)

The European Union has also laid down strict guidelines regarding how employers should (re)act when recalling employees. According to the OSHwiki, the EU’s plan for reopening businesses focuses on:

  1. Minimizing exposure to COVID-19 after recalling employees;
  2. Updating your company’s risk assessment plan[i];
  3. Adapting the environment’s layout to comply with the health authorities’ recommendations regarding social distancing and other health-related concerns;
  4. Identifying employees that are in the high-risk groups and creating a hazard-free work environment[ii];
  5. Maintaining communication with your occupational health service;
  6. Miscellaneous measures that can help your workforce cope with the changes produced by the coronavirus outbreak (e.g. a counselor to help your employees overcome anxiety or depression as side-effects of long-term isolation).

The same document also provides some insight on telework – bringing everybody back to the office at once would violate the social distancing rule. The obvious solution would be to allow some of your employees to continue working from home. In the long run, you can work out a rotation-based schedule to get everyone back.


Cybersecurity concerns in the Post-Pandemic Era

In terms of cybercrime, the coronavirus did nothing to stop or at least dilute the number of cyberattacks. Although in some countries the healthcare system is on the brink of collapse, that did not stop malicious actors from taking advantage of the confusion to stage debilitating ransomware attacks. The oil industry has also been targeted, as well as SMBs that fast-tracked the remote work initiative while sacrificing their cybersecurity posture.

Because I do a lot of research in the cyber-resilience area, I usually come across various forums where sysadmins ask all kinds of security-related questions. In one thread, there was this sysadmin who said that his CEO ordered him to give every employee admin-type privileges before sending them to work from home. Needless to say, this type of praxis can lead to all manner of entanglements, not to mention the fact that you would be offering hackers several access points for data exfiltration.

In a way, this should be construed as typical corona-related behavior, but it goes further than that. Oftentimes, decision-makers who lack cybersecurity training will make the mistake of overruling the sysadmin’s decisions in the area of security. A grave mistake, indeed, and one that can cost companies millions of dollars.

Consider an alternative scenario – a lack of funding. An expanding startup just doesn’t have the financial means to secure all the vital areas, leaving sysadmins to work with the tools they have on hand. Take patching, for instance. Nobody gives patching any attention until the company reaches the 20+ endpoint milestone. Then it becomes problematic, especially when there is only one sysadmin. What happens after that?

System administrators will use automatic patching and deployment solutions like WSUS and SCCM to ensure that all endpoints are running the latest Windows versions or that the proprietary software has been patched.

Even when you’re overseeing a 20+ endpoint network, using either one of those can create more issues than it solves. This is not me putting the kibosh on Microsoft’s auto-patching, management, and deployment software, but, considering the speed that was required to set up a stable remote work network, SCCM and WSUS are simply not feasible.

Readers should remember that more than 80% of a machine’s vulnerabilities can be fixed through patching. Right now, the emphasis is on automatic tools that can deploy patches and updates on the fly.

Heimdal™ Security’s Thor Premium Enterprise, our company’s unique threat-hunting and vulnerability remediation solution, can help your sysadmin deploy updates and patches from anywhere in the world. Thor Premium Enterprise is a cloud-native solution, which means that you won’t have to worry about saving those patches/updates locally before they are applied.

Furthermore, on demand, you can also add Infinity Management to your Thor Premium Enterprise suite. IM provides you with granular control over your endpoints and, most importantly, over what kind of software is installed on those machines. From there, you can force-install applications, roll back to a previous version, deploy and install proprietary software/updates/patches, and much more.

Wrap-up

Back to work in the Post-Pandemic era? It is possible, but we need to follow some rules. As a company owner, you have to guarantee the safety of your employees, whether it relates to health or to cybersecurity.

One sensible step towards reopening your business would be to work with the local authorities to make sure you meet all the requirements. Furthermore, you should also offer some degree of flexibility. Perhaps not all of your employees are thrilled at the thought of going back to the office, considering that the coronavirus pandemic is far from over. Be mindful of your employees’ wishes and work with them to come up with the best solution.

[i] A company-wide analysis that must include a risk evaluation paper, risk control, safety measures, mitigation, risk management tools, and training.

[ii] If your office cannot guarantee the safety of your high-risk employees during regular office hours, it’s advisable to allow them to continue working from a home-type environment.

The post Back to Work After Lockdown: Cyber Risks of the Post-Pandemic Era appeared first on Heimdal Security Blog.

What Are the Main Vectors of Attack in Cybersecurity and How Do They Work?

Today’s dangerous cyber landscape demands that all businesses position themselves ahead of cybercriminals in order to stay safe. This always starts with identifying your weaknesses, understanding how your company may become compromised, and implementing the most appropriate prevention and detection methods that will help you achieve cyber resilience. But first, you have to understand which vectors of attack you may encounter that could disrupt your business.

What are vectors of attack?

Vectors of attack (or threat vectors) refer to the pathway that cyber attackers take to infiltrate your organization. In essence, an attack vector is a process or route a malicious hacker uses to reach a target, or in other words, the measures the attacker takes to conduct an attack.

Typically, attack vectors are intentional threats (rather than unintentional), as they do require some planning and analysis.

Various entities may exploit these vectors of attack, ranging from disgruntled former employees to malicious hackers, cyber espionage groups, competitors, and more. Regardless of the person or group involved, they may want to disrupt your business, steal your technology or confidential information, or extort money from your employees. In any event, they will do their utmost to successfully utilize attack vectors and gain access to your systems.

Attack vectors vs. Attack surface

Attack vectors are the methods cybercriminals use to gain unauthorized access to a system, while an attack surface refers to the total number of attack vectors used by an intruder to control or steal data from your network or endpoints.

Attack vector examples in cybersecurity

Below I will briefly discuss the most common examples of vectors of attack that can threaten your organization.

#1. Insider Threats

Insider threat is one of the most common attack vectors. Still, not all types of insider threats are malicious, as naïve employees can sometimes inadvertently expose internal data. However, ill-intentioned individuals working for a company may intentionally disclose confidential information or plant malware, fueled by various motives or by personal gain.

The most recent insider threat statistics reveal alarming issues that need to be considered and addressed by all organizations. For example, insider threats have increased by 47% in the past two years and 70% of organizations are witnessing more frequent insider attacks.

#2. Phishing

Phishing is merely one of many hats that social engineering wears. It involves manipulation tactics adopted by a malicious individual whose ultimate purpose is to trick employees into clicking on suspicious links, opening malware-infected email attachments, or giving away their login credentials.

The most insidious subtype of phishing is spear phishing, where very specific employees are observed in great detail only to be targeted later on by cybercriminals. This phenomenon is also part of the rising threat of Business Email Compromise (BEC), a highly sophisticated practice that can devastate companies of all sizes.

#3. Business partners

Third-party organizations can also become major vectors of attack in cybersecurity.

Some of the biggest security incidents and data breaches have been caused by vendors. Supply chain attacks are a common way for attackers to target a vendor’s customers. This is the reason why organizations large and small together with their business partners must foster a culture where cybersecurity best practices are shared and mutual transparency is demonstrated.

#4. Weak or compromised login credentials

Should your employees’ authentication credentials be too weak or become compromised, they may turn out to be an attacker’s surefire way to gain unauthorized access to your IT systems.

Usernames and passwords are the most popular form of authentication, and they can easily be abused through phishing, data leaks, and credential-stealing malware, giving intruders free access to your workers’ accounts.

Brute-force attacks (the practice through which attackers submit many candidate passwords in the hope of eventually guessing the right one) are also a serious vector of attack. In the wake of the novel coronavirus pandemic, Heimdal™ Security’s data has revealed that the number of brute-force attacks has increased exponentially. We have noticed a 5% increase in brute-force attacks after the majority of employees started working from home.
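Brute-force attempts leave a clear trace in authentication logs: many failed logins from one source in a short time, often across several usernames. The following is an added example (not Heimdal’s code or product) that flags such sources from constructed sshd-style log lines. The log format, the threshold of five failures, the 60-second window and the log year are all assumptions for the example.

```python
"""Added example (not Heimdal's code): detect brute-force login activity in
sshd-style auth log lines using a per-source sliding window of failures."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log. Syslog timestamps carry no year, so 2020 is assumed below.
# 203.0.113.5 hammers several accounts within seconds; 203.0.113.9 tries slowly,
# one attempt every 15 minutes; 198.51.100.7 is a legitimate user with one typo.
SAMPLE_LOG = """\
Mar 30 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar 30 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 51001 ssh2
Mar 30 10:00:04 host sshd[1003]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar 30 10:00:06 host sshd[1004]: Failed password for invalid user test from 203.0.113.5 port 51003 ssh2
Mar 30 10:00:07 host sshd[1005]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar 30 10:00:09 host sshd[1006]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Mar 30 10:00:12 host sshd[1007]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 30 10:30:00 host sshd[1008]: Failed password for root from 203.0.113.9 port 52000 ssh2
Mar 30 10:45:00 host sshd[1009]: Failed password for root from 203.0.113.9 port 52001 ssh2
Mar 30 11:00:00 host sshd[1010]: Failed password for root from 203.0.113.9 port 52002 ssh2
Mar 30 11:15:00 host sshd[1011]: Failed password for root from 203.0.113.9 port 52003 ssh2
Mar 30 11:30:00 host sshd[1012]: Failed password for root from 203.0.113.9 port 52004 ssh2
"""

# Assumed sshd message format; "invalid user" appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line, year=2020):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: alert} for every source that produced at least `threshold`
    failed logins inside some window of `window_seconds`. The alert records the
    window bounds, the failure count and every username that source has tried."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> distinct usernames attempted so far
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue
        window = recent[ev["ip"]]
        window.append(ev["ts"])
        users[ev["ip"]].add(ev["user"])
        # Drop failures that fell out of the sliding window.
        while (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = {
                "first": window[0],
                "last": ev["ts"],
                "count": len(window),
                "users": sorted(users[ev["ip"]]),
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {alert['count']} failures between {alert['first']} and "
              f"{alert['last']}, accounts tried: {', '.join(alert['users'])}")
```

With the default 60-second window only the fast source is flagged; the slow source that spaces its attempts 15 minutes apart slips through, which is exactly why a detection should be tuned with a second, longer window (for instance an hour) rather than a single short one.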

#5. Ransomware / Malware

Ransomware continues to be a highly lucrative business for cybercriminals. Given its huge profits, it’s no surprise that ransomware has even developed into a “business” model: Ransomware as a Service. This makes it easily accessible even to people with rather poor technical skills who are determined to profit from vulnerable users.

Unpatched vulnerabilities in your systems can allow ransomware to pass through. The most notorious ransomware attacks to date (such as WannaCry and NotPetya) could have been avoided if systems had been patched on time.

At the same time, the huge palette of other existing malware types can help malicious hackers infiltrate your organization: think of worms, trojans, rootkits, adware, spyware, fileless malware, bots, and many more.

And do keep in mind that everything I’ve listed above refers to only a few vectors of attack that can affect your business.

How to protect your organization from threat vectors

Protecting your business from different attack vectors will not be difficult with the proper resources in place. Below I’ve included the main aspects you should focus on to reduce the risk of threat vectors and prevent potential future attacks.

#1. Educate your employees

We are strong advocates for continuous security education and we believe cybersecurity awareness training sessions should always be mandatory for your employees. Workers should hone their cybersecurity skills periodically, as prevention is key to keeping your business safe in today’s digital landscape. As long as cybercrime continues to thrive and be profitable, cybersecurity training should be a continuous journey inside your company.

Your workers must be taught to recognize the signs of phishing and BEC, to create passwords that follow your internal password policy and avoid the most common password mistakes, to identify different types of malware, and to report cybersecurity incidents and potential threats. You can also try running phishing simulations to help them identify the tell-tale signs of phishing and avoid falling prey to these attacks.

#2. Apply the Principle of Least Privilege (PoLP)

Limiting your users’ rights to the lowest level that still allows them to perform their tasks is the cornerstone of PoLP. This practice closes multiple security holes inside your organization, gives you granular control over the actions performed, and reduces the danger of insider threats.

For instance, Heimdal™ Security’s Thor AdminPrivilege is a Privileged Access Management (PAM) solution that simplifies the burdensome task of sysadmins who would otherwise have to manually escalate and de-escalate user permissions.


#3. Use the right cybersecurity tools

Sometimes, even the most knowledgeable employees (cybersecurity-wise) may accidentally click on malicious links or open infected email attachments. And in certain instances, cybercriminals do a great job of masquerading as your employees’ superiors or other authority figures and manage to trick them into transferring large amounts of money to their accounts. For this reason, our Heimdal™ Security experts have designed next-gen cybersecurity tools and technologies with very specific vectors of attack in mind, to help organizations avoid multiple attack scenarios.

Prevention, detection, and response are the bedrock of our philosophy. Since it would be impossible to discover every threat individually, we’ve gone beyond signature-based anti-malware solutions that only pick up known threats. As malware attack vectors are ever-growing in number and sophistication, we look at the Internet’s infrastructure to catch threats that traditional Antivirus doesn’t see. We’ve developed a DNS filtering solution that blocks network communication to Command & Control servers and stops ransomware, next-gen attacks, and data leakage.
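DNS filtering works by sitting between the client and the resolver and deciding, per query, whether a name may be resolved at all. The following is an added example (not Heimdal’s product code) of that decision logic: the name and each of its parent domains are checked against a blocklist, an allowlist can override a broad block, and the addresses a name resolves to are checked against known-bad networks. All domains, the netblock and the sinkhole address are constructed for the example.

```python
"""Added example (not Heimdal's code): a minimal DNS-layer filter that decides
whether a queried name should be resolved normally or answered with a sinkhole."""
import ipaddress

# Constructed policy data for illustration only.
BLOCKED_DOMAINS = {"bad-c2.example", "ransom-drop.example.net"}
ALLOWED_DOMAINS = {"cdn.bad-c2.example"}          # explicit exception under a blocked parent
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3 stands in for a C2 range
SINKHOLE = "0.0.0.0"                              # address returned instead of the real answer


def normalize(name):
    """Lower-case the name and drop the trailing dot of a fully qualified name."""
    return name.strip().rstrip(".").lower()


def parents(name):
    """Yield the name and each parent suffix: a.b.c -> a.b.c, b.c, c.
    Matching on suffixes is what makes a single blocklist entry cover
    every subdomain an attacker might generate under it."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(qname, resolved_ips=()):
    """Return (action, reason), action being 'allow' or 'block'.
    Order of evaluation: allowlist, then domain blocklist, then resolved-IP blocklist."""
    for cand in parents(qname):
        if cand in ALLOWED_DOMAINS:
            return "allow", f"allowlisted {cand}"
    for cand in parents(qname):
        if cand in BLOCKED_DOMAINS:
            return "block", f"blocklisted {cand}"
    for ip in resolved_ips:
        addr = ipaddress.ip_address(ip)
        for net in BLOCKED_NETWORKS:
            if addr in net:
                return "block", f"resolves to blocked network {net}"
    return "allow", "no match"


def filter_query(qname, resolved_ips=()):
    """Build the answer handed back to the client: the real addresses, or the sinkhole.
    The reason string is what a practitioner would log for later investigation."""
    action, reason = decide(qname, resolved_ips)
    if action == "block":
        return {"qname": qname, "answer": [SINKHOLE], "blocked": True, "reason": reason}
    return {"qname": qname, "answer": list(resolved_ips), "blocked": False, "reason": reason}


if __name__ == "__main__":
    for q, ips in [("WWW.bad-c2.example.", ["198.51.100.20"]),
                   ("cdn.bad-c2.example", ["198.51.100.21"]),
                   ("update.example.org", ["203.0.113.77"]),
                   ("example.org", ["198.51.100.10"])]:
        print(filter_query(q, ips))
```

The resolved-IP check is the part that catches names never seen before: a freshly registered domain has no blocklist entry, but if it resolves into infrastructure already known to be hostile, the query is still sunk. Every blocked query should be logged with its reason, since those records are the investigation trail for the affected endpoint.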

At the same time, since we understand the burden of manual patching, we’ve combined Windows and 3rd party software patch management into a single tool to help you remove the risk of unpatched software and systems, all at once.

Thor Premium Enterprise is our EPDR (Endpoint Prevention, Detection, and Response) solution, which combines DNS filtering, Automated Patch Management, and a next-gen Antivirus within a single interface so that you can have a complete overview of your environment.


To Sum Up

To evade threat vectors, organizations must rely on both ongoing employee cybersecurity education and the proper tools.

Adopting a DNS-based approach to security, which analyzes and monitors network threats and succeeds in detecting unknown malware and emerging threats, is essential. At the same time, eliminating attack vectors related to unpatched software and systems, as well as properly managing admin rights, will help you neutralize cyber threats before they damage your organization.

The post What Are the Main Vectors of Attack in Cybersecurity and How Do They Work? appeared first on Heimdal Security Blog.

Ensuring Data Security with Business Process Outsourcing Companies

The business process outsourcing (BPO) industry is known for generating savings and top-quality services for its clients. Enterprises in the West started the trend and have since relied on the East for their operations.

From its beginnings in manufacturing and call centres, the industry has widened its offerings to accounting, human resources, and even professional services. This has given way to the rise of high-value outsourcing, with research and development and other innovation work also being outsourced. Affordable high-quality technology has also made it possible for small and medium businesses to try it.

Despite its popularity, many businesses worry about the risks of outsourcing their projects to a low-cost country. This includes data and cybersecurity concerns and how these companies handle them.

Most BPO companies follow data and compliance standards such as ISO and HIPAA. Even when working remotely, they make sure that these standards and processes are followed.

The COVID-19 pandemic, which has caused disruptions to businesses worldwide, continues to prove the flexibility of these companies in continuing their operations. This article tackles how BPO companies ensure data and cybersecurity when working from home due to the pandemic.

BPO companies and in-house employment

BPO companies value data and cybersecurity by following strict security measures in their daily operations. They keep employment in-house to monitor and ensure the security of their data. Most service providers also invest in high-quality infrastructure and backups in case of a power outage or data breach.

Compliance is also mandatory for their operations. BPOs in India and the Philippines, the top outsourcing countries, pursue ISO and HIPAA standards to ensure that their operations meet international standards. Keeping employees in-house makes process and compliance monitoring easier, since the operation is done in a single location.

The impact of COVID-19 on in-house work

The global pandemic has affected the majority of businesses and in-house employment. Lockdowns in different countries have forced companies to either halt operations or move their employees to remote work. The outsourcing industry has also felt the challenges this brought.

Several countries have taken measures to continue operations as close to business as usual as possible. Work-from-home (WFH) employees are provided with equipment and an internet connection to continue their work. Skeletal workforces and those who cannot work from home are provided with accommodation in nearby hotels and lodgings.

How remote work affects security for BPOs

According to Concentrix, a distributed workforce setup in the BPO industry is highly unusual, since most operations are kept in-house.

These companies know that remote working introduces cybersecurity risks for a business. An employee using a shared public network can put their client’s information at risk. Without a VPN and strong firewall settings, their IP address, location, and data are exposed to malicious activity online.

Encryption is also important in protecting the company’s identity. Storage with weak encryption also gives hackers a way to steal critical information and use it for fraudulent transactions online or in the real world.

How to keep up with data security

The outsourcing industry is a flexible one. With the help of technology, BPO companies maintain the security of their data and processes remotely. The flexible arrangement has been part of their business continuity plan in these unusual times. These examples show how BPO companies in the Philippines found solutions for working from home.

Data security

Letting employees use a personal computer or laptop may be fine for creative, programming, and design roles. However, it won’t work for accounting and other roles that deal with critical customer and business information.

For this reason, most companies provided the equipment for their tasks. Their data is stored either on the desktop’s hard disk or on an encrypted cloud drive. Each storage location is password-protected so that only the employee and their employer can access it.

Cybersecurity

Another risk of using a personal device for work concerns cybersecurity. A personal laptop does not have adequate tools to protect its system from suspicious activity online. Using a shared connection poses an even greater threat.

Desktops provided by the companies have a secured VPN and firewall that protect them throughout their operation. For employees with slow or shared connections, companies provide a portable broadband connection for a smoother workflow.

Streamlined processes

Even in remote work, BPOs apply strict measures to ensure that their processes are streamlined. Employers mastered the use of work collaboration tools and other online services while in the office, so they can keep track of their work in real time.

Call centres, for instance, have a single CRM system used to record customer issues, capture information, and track issues via tickets.

The skeletal workforce, meanwhile, supervises and monitors the progress of the deployed teams. They are also tasked with checking the work quality of their employees, processing transactions, closing sales deals, and reporting to the client about their tasks.

Work collaboration

Deployed teams have little to no trouble collaborating online. Many employees already use tools such as Slack and Skype for communication, G Suite for documentation, and CRM apps for capturing and encoding data.

Employers also use screen monitoring software to track employees’ attendance and activities. This gives them an overview of their performance, their total hours worked, and the websites they have visited. Project monitoring tools, meanwhile, help them keep track of the progress of the entire project and delegate tasks across their team.

Author Bio

Derek Gallimore is as passionate about outsourcing as he is about business and entrepreneurialism. Outsourcing is a booming industry. Derek believes that every business owner should be fully aware of, and utilise, this incredible opportunity. In response to a general lack of information, he founded Outsource Accelerator. Outsource Accelerator is the world’s foremost independent and unbiased source of outsourcing information, advisory and education.

The post Ensuring Data Security with Business Process Outsourcing Companies appeared first on Heimdal Security Blog.

Decision Making Before and During Times of Crisis:  A Parallel Between Cybersecurity Incidents and the Current COVID-19 Pandemic

The coronavirus pandemic is not only the first time in history that a biological virus has also affected the cybersecurity industry (through phishing attacks and COVID-19-themed malware); the way the outbreak has been handled so far also resembles how certain IT decision-makers react when dealing with security issues.

So far, the crisis has been approached from different angles by governments around the world. The pandemic is now causing major disruptions in the way we live and work, and perhaps irreversibly so. It is an unprecedented health and economic disaster, which puts our collective ability to respond to the test.

How prepared are governments? How about us as citizens? Why don’t we all focus on prevention rather than on dealing with the consequences?

A comparison between decision making in Cybersecurity and the COVID-19 pandemic

If you think about it, in many cases, cyber-attacks and malware behave and spread in ways similar to a pandemic. Some digital threats are even called “viruses”, after all.

But how do cybersecurity leaders generally make decisions compared with how currently government officials are dealing with the COVID-19 pandemic?

Without intending to oversimplify the complexity and severity of the COVID-19 pandemic, I’ve noticed some similarities that I would like to point out.

#1. Inaction fueled by optimism bias

Even though we like to think of ourselves as rational creatures, it’s in human nature to disregard risk associated with – well, anything…

Why? The optimism bias phenomenon is to blame. In short, it refers to the belief that we have lower chances of being affected by negative events than other people do and that we are more likely to experience positive events than our peers.

The term was coined by Neil D. Weinstein in 1980, who discovered through his experiment that most college students thought their chances of developing a drinking problem or getting divorced were lower than those of their colleagues. At the same time, the majority of these students also believed that the odds of positive things happening to them (such as owning a house and growing old) were much higher.

In a recent article, Marie Helweg-Larsen, Professor of Psychology, argues that certain people are refusing to change their behavior during the current coronavirus pandemic because of optimism bias. For instance, if you don’t believe you are likely to be infected, you might think that interacting with your grandmother won’t be harmful. In this way, because of the uncertainty around infection, you tend to minimize risk.

The perception of risk can be difficult to change. But since social distancing and staying at home are now typically considered the moral thing to do, people may be more likely to change their attitude when thinking about keeping others safe (rather than themselves in particular). So, no longer focusing on your own personal risk may fuel more protective behavior.

Obviously, regular citizens are not the only ones who have fallen under the optimism bias since the COVID-19 pandemic emerged. In the same manner, leaders around the world have been crippled by inertia and have tended to underestimate the critical impact the novel coronavirus would have on their countries, healthcare systems, and economies.

How common is optimism bias in cybersecurity?

Of course, optimism bias can also be observed in the cybersecurity field. In short, this phenomenon prevents some security leaders from taking preventive measures and therefore hinders their companies from achieving a good security posture.

The results of a study revealed that security executives are indeed affected by optimism bias. The report concludes that they thought their risk to be substantially lower than that of the companies they were compared with. Furthermore, they seemed to be aware of the existing risks, yet still could not completely grasp the magnitude of a potential incident.

The same study showed that subjects, at the very least, acknowledged their interconnectedness with their business partners. Even though they considered themselves less prone to risk than other companies, they seemed to understand perfectly well that they could themselves become victims because of the third parties they partnered with. These dangers are nowadays commonly referred to as Supply Chain Attacks or Vendor Email Compromise (VEC) threats.

How to avoid bias when building your cybersecurity strategy

Biases impact decision-making processes and obviously, the cybersecurity industry is no exception to the rule.

So, how can you, as an IT decision-maker, avoid being under the influence of cognitive biases?

Here are a few points to consider:

  • Become aware of optimism bias and accept that the phenomenon is an inherent part of us as humans. This is the first step toward taking impartial, unbiased decisions.
  • Look at real-life examples. Understand how organizations that match your own profile were impacted by cyberattacks and analyze how your company would react when faced with a similar scenario. Would it be prepared to deal with an attack, or would it fail miserably? How cyber resilient is your organization?
  • Think about the overall positive impact of a strong cybersecurity strategy on your business. Organizations should not resort to scare tactics on themselves; they should instead realize how threat prevention and mitigation will keep the company up and running.

#2. Testing and micro-segmentation

So far, the countries that have proved most successful in managing COVID-19 infections have behaved the same way cyber resilient organizations do, while the ones that failed to keep the epidemic under control did not have all the prevention and mitigation measures in place.

For instance, as the epidemic was (not so) slowly growing, Britons were encouraged to “keep calm and carry on” and let the herd immunity strategy, which was heavily criticized in the end, do the trick. Prime Minister Boris Johnson later admitted that Britain was going through the “greatest public health crisis for a generation” and started implementing some forms of social distancing measures.

After the first American case was announced in late January, when asked if he believed this would turn into a pandemic, President Donald Trump’s response was “No. Not at all. And we have it totally under control. It’s one person coming in from China, and we have it under control. It’s going to be just fine.”

In early March, Trump was still suggesting that the virus was “less serious than the flu” and reassuring people that “It will go away. Just stay calm. It will go away.” Meanwhile, the U.S. was falling behind on testing and some Trump administration officials were responding with untruths, suggesting that anyone who wanted to could get tested when in reality a shortage of testing kits was being revealed. As of March 30, 2020, the U.S. had the most confirmed COVID-19 cases in the world, surpassing China, Italy, and Spain.

In the meantime, South Korea, Singapore, and Taiwan managed to contain the outbreak thanks to diligent testing and social distancing measures.

Below you can see the number of Tests conducted vs. Total confirmed cases in different countries around the world:

Along the same lines, the same testing (or monitoring) practices should be followed in cybersecurity.

Should threats remain hidden inside your organization, there will be room for lateral movement and further exploitation. However, the spread of malware infections can be stopped if you put a segmented architecture based on Zero Trust in place. This model originates from the principle that nothing inside an organization should be trusted by default and everything should be verified first. Zero Trust networks are built on micro-segmentation, which divides the perimeter into small zones so that parts of your network remain isolated and have separate access controls. If a data breach occurs, micro-segmentation limits further exploitation of your network.

What’s more, simply because people aren’t displaying any visible symptoms of COVID-19 doesn’t necessarily mean they are not infected and therefore shouldn’t get tested. There have been cases of coronavirus false negatives so far, which leaves experts worried about this type of inaccuracy amid the outbreak.

However, even though universal testing may sound utopian given logistical constraints and the shortage of testing kits, the same should not apply when it comes to your organization’s security.

Most nations that have had a hard time enforcing social isolation rules have seen COVID-19 infections grow more quickly. Italy, for instance, around a week ago, when around 41,000 people were infected and the outbreak was already out of control, was charging 50,000 individuals with breaking isolation laws. A week later, the cases in Italy had almost doubled.

On the other hand, after imposing draconian lockdown measures and despite being the outbreak’s original source, China managed to flatten the coronavirus curve. It tried to proactively find infections rather than passively wait for symptoms to develop. As you may already know, this approach is also considered a best practice in cybersecurity.

What’s more, a study has shown that as human mobility decreased in China after social distancing measures were put in place, so did new infections.

Image source: “The effect of human mobility and control measures on the COVID-19 epidemic in China”, available here

As you can see in graph a, human mobility dropped after January 23, 2020, when the cordon sanitaire (the health measures aimed at controlling the spread of the disease) was put in place for Wuhan, and was considerably lower than in January 2019. After this date, the number of coronavirus cases and the infection rate also started decreasing, as you can see in the charts below:

Image source: “The effect of human mobility and control measures on the COVID-19 epidemic in China”, available here

#3. Improving your defenses and mitigating risk

During this critical period, hospitals and governments have had to beef up their defenses against COVID-19. Basically, more medical supplies than ever, such as gloves, gowns, or ventilators, now have to be purchased. Needless to say, having the right amount of protective equipment is vital. Unfortunately, however, many countries are unprepared, even though they should have been able to see a crisis like this one coming.

“When we have done exercises in the past for pandemic preparedness, supply chain issues were a well-documented challenge”, commented Saskia Popescu, an epidemiologist focused on hospital preparedness, for Vox.com. “This is something we’ve known about — maybe not to this extent, but this isn’t a shocker. It’s more surprising that we let it get this bad.”

The knowledge that disaster could strike at any time is not to be neglected.

In a similar fashion, the same reasoning can be applied to an organization’s cybersecurity. Since you are aware that cyber-attacks and data breaches may lurk around the corner, would you not wish to protect your digital assets in the best possible way?

Only through proactive security measures, such as staying on top of your patching or filtering your organization’s incoming and outgoing traffic at the DNS level, combined with reactive defenses, like using a next-gen Antivirus, and then extending your defenses to email security and privileged access management, can your organization achieve true cyber resilience.

What organizations can learn from a cybersecurity standpoint

First of all, security leaders should accept that any organization is exposed to cyber threats. After all, it’s a matter of when (not if).

Secondly, another vital step is testing (or in other words, gaining visibility inside your organization). This is how you can understand exactly whether and which parts of your business are being affected and, in case of an existing infection, address it correctly. As I’ve mentioned before, micro-segmentation is recommended. Dividing your network into different security segments with fine-grained security controls will help you isolate areas and limit the spread of a potential infection.

Last, but not least, organizations should operate with a prevention-first mindset and combine proactive and reactive protection measures. Prevention is still the best cure, after all.
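The micro-segmentation argument made in the testing section above and restated in the lessons list can be made concrete. The following is an added example (not Heimdal’s code) of a default-deny segmentation policy: flows between segments are allowed only when an explicit rule exists, and a small graph search shows how far an intruder could move laterally from a compromised segment, which is the blast radius the text says micro-segmentation is meant to limit. The segment names, address ranges and rules are constructed for the example.

```python
"""Added example (not Heimdal's code): evaluate a default-deny micro-segmentation
policy and compute the lateral-movement reach of a compromised segment."""
import ipaddress
from collections import deque

# Constructed segments (RFC 1918 space) and the only flows the policy permits.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "web":          ipaddress.ip_network("10.20.0.0/24"),
    "app":          ipaddress.ip_network("10.30.0.0/24"),
    "db":           ipaddress.ip_network("10.40.0.0/24"),
    "backup":       ipaddress.ip_network("10.50.0.0/24"),
}
# (source segment, destination segment, destination TCP port). Nothing else passes,
# not even traffic between two hosts of the same segment: Zero Trust means no
# implicit trust for "inside" addresses either.
ALLOW_RULES = {
    ("workstations", "web", 443),
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("db", "backup", 22),
}


def segment_of(ip):
    """Map an address to its segment name, or None if it belongs to no segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, dst_port):
    """Default deny: a flow passes only if an explicit rule matches it exactly.
    Unknown addresses never match, so they are denied as well."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    return (src, dst, dst_port) in ALLOW_RULES


def reachable_segments(start_segment):
    """Breadth-first search over the rule graph: the set of segments an intruder
    could eventually reach from start_segment if every host they reach were in
    turn fully compromised. This is the policy's worst-case blast radius."""
    seen, queue = {start_segment}, deque([start_segment])
    while queue:
        cur = queue.popleft()
        for src, dst, _port in ALLOW_RULES:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start_segment)
    return seen


def flat_network_reach(start_segment):
    """For comparison: in an unsegmented network every segment is reachable."""
    return set(SEGMENTS) - {start_segment}


if __name__ == "__main__":
    print(is_allowed("10.10.5.5", "10.20.0.10", 443))    # workstation -> web, allowed
    print(is_allowed("10.10.5.5", "10.40.0.3", 5432))    # workstation -> db, denied
    for seg in SEGMENTS:
        print(f"{seg}: segmented reach {sorted(reachable_segments(seg))}, "
              f"flat reach {sorted(flat_network_reach(seg))}")
```

The reach computation is the useful part for a design review: a compromised workstation can still, in principle, work its way down the web, app and db tiers, but only hop by hop and only over the one port each rule opens, and a compromised database server can reach nothing but the backup segment. Running the same search against a proposed rule set before it is deployed shows whether a new rule quietly joins two segments that were meant to stay apart.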


Bottom Line

In today’s unprecedented context, how long the COVID-19 pandemic will last is still uncertain. What is clear, however, is that it has raised highly complex issues and revealed serious flaws in crisis management in many countries around the world. The outbreak only shows how unprepared we were to deal with it. However, it’s (probably) not too late to act now, remain optimistic, and learn how to prevent future outbreaks.

The post Decision Making Before and During Times of Crisis:  A Parallel Between Cybersecurity Incidents and the Current COVID-19 Pandemic appeared first on Heimdal Security Blog.